Blog

  • Wild West of Cryptocurrency

    Criminals have ALWAYS Followed the Money…

    Financial transactions have always carried risk, both from criminals looking to steal money at rest or in transit and from criminals committing fraud or laundering the proceeds. We have had counterfeit currency, fake checks, ATM card skimming, and the like. Why would we think that crime wouldn't move to cryptocurrency?

    Few understand that consumers need assurances through trusted financial institutions with security-certified processes and technologies. An awakening is needed in the recently emerged cryptocurrency market. The value of your crypto coins depends upon it!

    Even with the historically trusted encryption methods of the past, safety in e-Business has always been a race against time. How long will it take to brute-force a cipher through an offline attack, and can the attacker do it before the keys are rotated? How long will a given set of ciphers be considered strong, and when will they need replacing?

    Weren’t countermeasures for such concerns designed into end-to-end cryptocurrency transactions?

    A recent Malwarebytes explainer on cryptocurrency mining describes how the Bitcoin network tunes its proof-of-work difficulty so that a new block is found roughly every 10 minutes. That interval is a design target, not the time it takes an attacker to "break" a block; the hashing is work that must be paid for by whoever mines. That cost is exactly what criminals have found a way to push onto other people's hardware. Coinhive shipped an in-browser Monero miner and did not keep its use under control: Sophos researchers found Coinhive code embedded in nineteen Android apps this past week (Computing), and a zero-day flaw in the Telegram desktop client, now patched, was used to install a miner that pulled in Zcash and Monero (SecureList). The attack now in the wild is not against the currencies' cryptography; it is cryptojacking, stealing CPU time from victims' devices to mine coins for the attacker.
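    To make the 10-minute point concrete, here is a toy proof-of-work miner. It is an added example written for this page, not code from the original post or from the Malwarebytes article: the nonce search is the "work", the target fixes how much of it is expected, and the retarget rule is what keeps blocks arriving on schedule. The header bytes, the difficulty values and the clamp factor are assumptions for illustration; real Bitcoin hashes an 80-byte header against a 256-bit target encoded in the "bits" field.

```python
import hashlib
import struct
import time

# Bitcoin's design target: one block per ~10 minutes. Nothing is "broken"
# in 10 minutes; the network adjusts difficulty so that the expected time
# to find a valid nonce stays near this value.
TARGET_BLOCK_SECONDS = 600
MAX_ADJUST = 4.0  # Bitcoin clamps each retarget to a factor of 4 either way

# Constructed block header for illustration only (a real header is 80 bytes:
# version, previous block hash, merkle root, time, bits, nonce).
HEADER = b"prev=000000000000000000;merkle=deadbeef;time=1518566400"


def block_hash(header: bytes, nonce: int) -> int:
    """Double SHA-256 over header||nonce, returned as a 256-bit integer."""
    data = header + struct.pack("<I", nonce)
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")


def target_for(difficulty_bits: int) -> int:
    """A block is valid when its hash is below this target.
    Each extra bit halves the target and doubles the expected work."""
    return 1 << (256 - difficulty_bits)


def expected_attempts(difficulty_bits: int) -> int:
    """Expected number of hashes before one lands below the target."""
    return 1 << difficulty_bits


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32) -> tuple[int, int]:
    """Brute-force the nonce. Returns (winning_nonce, attempts_made).
    There is no shortcut: the only way to find a valid block is to keep hashing."""
    target = target_for(difficulty_bits)
    for nonce in range(max_nonce):
        if block_hash(header, nonce) < target:
            return nonce, nonce + 1
    raise RuntimeError("nonce space exhausted; a real miner would change the header")


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification costs a single hash; that asymmetry is what makes PoW useful."""
    return block_hash(header, nonce) < target_for(difficulty_bits)


def retarget(difficulty: float, observed_seconds_per_block: float,
             target_seconds: float = TARGET_BLOCK_SECONDS) -> float:
    """Difficulty adjustment: blocks came too fast, raise difficulty; too slow,
    lower it; never by more than MAX_ADJUST in a single step."""
    factor = target_seconds / observed_seconds_per_block
    factor = max(1.0 / MAX_ADJUST, min(MAX_ADJUST, factor))
    return difficulty * factor


if __name__ == "__main__":
    for bits in (8, 12, 16):
        start = time.perf_counter()
        nonce, attempts = mine(HEADER, bits)
        elapsed = time.perf_counter() - start
        print(f"{bits:2d} bits: nonce={nonce} attempts={attempts} "
              f"(expected ~{expected_attempts(bits)}) in {elapsed:.3f}s "
              f"valid={verify(HEADER, nonce, bits)}")
    # Blocks arriving every 5 minutes instead of 10 doubles the difficulty.
    print("retarget factor when blocks take 300s:", retarget(1.0, 300))
```

    Run it and the attempts column roughly doubles with each extra difficulty bit while verification stays at one hash. An attacker who wants to rewrite a block has to redo this work and outrun the rest of the network; the 10-minute figure is the schedule the honest network sets for itself, which is why criminals find it cheaper to steal other people's CPU time than to attack the scheme.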

    Cryptocurrency is not without its share of outright fraud, either. Look no further than LoopX, which recently disappeared along with $4.5M raised in its ICO (Naked Security). It's no wonder the US SEC has recommended regulations.

    References:

    1. https://www.malwarebytes.com/blog/security-world/2017/12/how-cryptocurrency-mining-works-bitcoin-vs-monero
    2. https://www.computing.co.uk/ctg/news/3026552/researchers-find-javascript-cryptomining-code-in-19-android-apps
    3. https://securelist.com/zero-day-vulnerability-in-telegram/83800/
    4. https://nakedsecurity.sophos.com/2018/02/14/cryptocurrency-startup-loopx-exit-scams-with-4-5m-in-ico/

  • Baking Security In

    After decades of progressively responsible roles delivering and supporting IT services, I transitioned into Information Security in 2001. While working to master the skills and concepts security demands, I was left wondering why security was positioned as its own silo. In my world, security is simply a quality of service that is baked in.

    As my security career continued, I constantly shared this vision to influence internal stakeholders and, eventually, the clients I consulted for. In my perspective, security is contextual awareness that clarifies risk, influences management control objectives, defines services and service levels, and selectively positions security roles and functions to inject expertise, verify direction, and compensate for conflicts of interest.

    I now look to "Bake Security In" as a Senior Security Consultant in CGI's New England business unit. With 8 SOCs across the globe and over 1,000 cyber professionals, I am not alone. CGI has had the 6th fastest growth in Cybersecurity Consulting and will always strive to be the very best in its industry. It's all about quality of service and client satisfaction, isn't it?

    Anyone need a new partner in the kitchen?

  • Time-Driven Information Risk Management


    In my last article, we explored a Simplified Policy Framework for creating effective management documents that set direction and measure compliance with security control objectives. Process was the centerpiece of that discussion. In this article, we take it a step further to see the double dividend of a process-centric approach.

    Security is all about due diligence: ensuring proper alignment to the depth and breadth of enterprise and business-specific controls that manage the confidentiality, integrity, and availability of information, systems, and processing facilities. The analysis can be exhausting, especially if you have to do it all at once while your Agile release train flies by.

    In my world, we have help at three levels of the organization: business process, security sub-process, and security service. A time-driven information risk management approach quickly assesses the impact of a change on each of these three levels and engages the principals assigned to those areas.

    At the Initial state of Information Security program development, unacceptable business risk surfaces because there is no security program at all, which causes a designated owner to be assigned and an Information Security Management process to be created. A new business process owner arrives at the table.

    A lack of frameworks for policy, control, classification, and risk management also produces this highest level of process impact, because decisions in each of these areas affect all business processes equally. Strategies for all of them must be set in the initial phase of Information Security program development, and senior managers should be appointed to an Information Security Steering Committee tasked with dealing with this change in strategy.

    The Information Security Management process commonly defines sub-processes closely aligned to the 14 control clauses of ISO/IEC 27002:2013 (Code of Practice for Information Security Controls), each with a manager assigned. The security practices are: Information Security Policies; Organization of Information Security; Human Resource Security; Asset Management; Access Control; Cryptography; Physical and Environmental Security; Operations Security; Communications Security; System Acquisition, Development and Maintenance; Supplier Relationships; Information Security Incident Management; Information Security Aspects of Business Continuity Management; and Compliance. If a single owner is not possible, allow several to partner in the stewardship of the sub-process.

    At an early stage of maturity, security services may not be defined and service levels may not be enforced. A risk assessment may trigger service formalization and measurement as part of the action plan; otherwise, ad hoc service design and construction will persist.

    In summary, rapid-development Agile methodologies create a greater dependency on a top-down, process-centric, multi-layered methodology to identify, assess, treat, and manage risk to information, systems, and processing facilities. Security due diligence becomes a cross-functional organizational strategy, empowering direct and indirect resources to work together to manage change.